MS CHAP v2 attack

Martyr

Vivek Ramachandran, Md Sohail Ahmad

This presentation debunking the age old myth that to crack WEP, the attacker needs to be in the RF vicinity of the authorized network, with at least one functional AP up and running. We demonstrate that it is possible to retrieve the WEP key from an isolated Client - the Client can be on the Moon! - using a new technique called "AP-less WEP Cracking". After this presentation Pen-testers will realize that a hacker no longer needs to drive up to a parking lot to crack WEP. Corporations still stuck with using WEP, will realize that their WEP keys can be cracked while one of their employees is transiting through an airport, having a cup of coffee, or is catching some sleep in a hotel room. Interestingly, our discovery also has a great impact on the way Honey-pots work today and takes them to the next level of sophistication.

this paper discusses weakness of MS CHAP v2 that is used by most microsoft xp/vista clients to authenticate using their nt logon credentials.

as most people tick "connect if within range.." then an attacker simply broadcasts as authenticator AP for a specific corporation.

client "request service" -> Attacker
client <- [server challenge] Attacker
client [mschapv2 response] -> Attacker (save response for cracking offline)
client <- "access denied" Attacker

the client sends connect request, fake authenticator responds with challenge, client responds with ms chap v2 response - attacker collects the nt hash, then uses it to authenticate on the corporations network..yes?

i saw this discussed here

because xp supports both ms chap v1 and v2, an attacker could instruct the client to authenticate with ms chap v1 - this won't work with vista though.

on the subject of tls/peap being used before challenge response is sent from client to server to block eavesdropping - most clients have validation turned off, so couldn't an attacker just use any cert he liked? why not?

i think this is already being used for some time now by people with more malicious intentions.

mick.fr

Interesting thanks for the post.

As far as I know CHAP is not on Vista anymore, they got rid of all the legacy encryption protocols and are exclusively using the ones from the NSA. Then the US gov has half of the encryption keys (If not more, they made the technology so...) for any Windows Vista using remote access and the default protocols.
Which in essence means the NSA can quickly crack any remote connection from Vista using those protocols.

Scarry no?

lol

Capt'n Midnight

mick.fr wrote: »

Scarry no?

lol

scary is that Microsoft have lost some of their source code.
And since some of the employees are probably plants from the international intelligence community you'd get worried.

naskey was back in 1999
and it's not just microsoft http://www.heise.de/tp/r4/artikel/2/2898/1.html

Martyr

mick.fr wrote:

Scarry no?

lol

where did you read/hear about this?

i just noticed that alot of WIFI networks that employed PEAP/MS-CHAPv2 for authentication, didn't have certificate from CA.

So, they untick "connect to these servers" / "validate server certificate" which means that an attacker can impersonate as an access point, and tell a client searching for that access point to authenticate with it.

the attacker collects the mschapv2 response, and cracks offline.
there is a program that already does this, called asleap.
i initially thought it was only effective against Cisco LEAP (cut down version of MS-CHAPv2) but its also applicable to MS-CHAPv2, using NTLM1 rainbow tables..the vulnerability in MS-CHAPv2 is actually based on research by Mudge/l0pht carried out over 10 years ago!!

the open source, available PoC tool, ASLEAP, based on work by one researcher, (which was also based on work by mudge/schenier) discussed 4 years ago by joshua wright, (as i found out from some searching) exploits the problem already.

although his method of getting a client to accept an attackers certificate was based on sending the victim spam, and hoping they install the cert, thats not really necessary if the client doesn't validate the certificate in the first place..

and spam is probably not the most subtle way of getting a client to install a cert

it seems to be that deploying clients for mutual authentication, based on certificate or smartcard is too expensive for some corporations, and so they aren't implementing the security properly, leaving their networks open to attack.

mick.fr

Average Joe wrote: »

where did you read/hear about this?

Read about remote access protocols just before Vista went out last summer.
They all come from the NSA.

mick.fr

Capt'n Midnight wrote: »

naskey was back in 1999
and it's not just microsoft http://www.heise.de/tp/r4/artikel/2/2898/1.html

Yeah that is the reason why Linux is so popular in France, Germany in Gov entities.
Those govs are very well aware with what comes with IBM, Microsoft products.

Martyr

Read about remote access protocols...

yes, but where?
i'd like to have a read too.

mick.fr

Alright, more precisely Vista supports the NSA suite B (cryptographic algorithms )
Link below
www.nsa.gov/ia/industry/crypto_suite_b.cfm

From a Microsoft presentation

Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs
Higher special-security needs (e.g. nuclear security) – guided by Suite A (definition classified)
Announced by NSA at RSA conference in Feb 2005
Encryption: AES
FIPS 197 (with keys sizes of 128 and 256 bits)
Digital Signature: Elliptic Curve Digital Signature Algorithm
FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)
Hashing: Secure Hash Algorithm
FIPS 180-2 (using SHA-256 and SHA-384)

And regulatory compliance:

Windows Vista cryptography will comply with:
Common Criteria (CC)
csrc.nist.gov/cc
Currently in version 3
FIPS requirements for strong isolation and auditing
FIPS-140-2 on selected platforms and 140-1 on all
US NSA (National Security Agency) CSS (Central Security Service) Suite B

Martyr

ok, i see what you mean now.

but this suite B is for u.s government classified/non-classified information, correct? ..are you saying that vista is shipped with this suite installed by default?

the only algorithm in that list designed by NSA is SHA-2, used for hashing, the others are all by independent cryptographers.

it would be suspicious if separate keys existed in vista that could not be identified, but nobody has mentioned anything to date..unless i missed that.

found interesting comment by bruce schneier.

NSA licensed Certicom's EC patents for $25 million last year, and recently announced the new US government standard for key agreement and digital signatures, called Suite B. It uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. Do you think that NSA is promoting ECC based crypto because they cannot crack RSA/DSA based one ?

I do not. I believe the NSA believes that ECC is strong. I wrote about ECC here:
http://www.schneier.com/crypto-gram-9911.html#EllipticCurvePublic-KeyCryptography

Although I wrote that in 1999, I am still skeptical about elliptic curves.

Or maybe just because they can crack RSA/DSA they prefer to protect USbusiness with ECC (supposed to be harder to crack)?

With sufficient key lengths, all of this is uncrackable. I don't believe that the NSA has any secret mathematics that they use to break RSA/DSA or ECC.

Would a quantum computer do the job ?

In theory, yes. In practice, we have no idea how to build one to do it. Maybe in fifty years. Or twenty-five.


is he turning senile? lol
maybe NSA wants people to think they believe ECC is secure, who knows.

i remember someone commenting before that ECC was relatively new technology, and the mathematics behind it wasn't that well understood..which could mean that NSA knows alot more about weaknesses in them, than the academics.

ecksor

What you say at the end is possible, but one of the reasons that ECC has been seen as attractive is that the problems which it relies upon for security are considered by the mathematical community to be probably much harder to attack than the integer factorisation which RSA's strength is presumed to derive from.

Martyr

i am guessing that AES/Rijndael could be known by NSA to have alot more weaknesses because of its algebraic/geometric structure?

and this was the concern of Eli Biham and a others on the selection process for AES - it would make sense for NSA to pick a weaker algorithm.

maybe i'm being paranoid, but i always thought SERPENT seemed like a more solid design, based on decades of research into weakness of DES..and biham (co-designer) has done quite alot of that himself.

Martyr

ms-chap v1/v2 brute force/dictionary attack tool (has multi-core support)
its very simple, just to see how fast it would run.
on E6750 2.66ghz, it computes around 22.2 million k/s brute force.

could be used with FreeRADIUS patch by joshua wright to capture MS-CHAP v1 or v2 credentials.

-h requires parameter of: <NT_RESPONSE><PEER_CHALLENGE><NTLM BYTES>

seems alot of colleges in ireland atleast, appear to use PEAP/TLS/MS-CHAP for authenticating students, some implementations, staff use their own cert.

attached file is 7zip archive, renamed to .txt so it could be attached.